[Figure: risk maps plotting Severity (0-5) against Frequency (0-5). Call-outs give the "Risk target" for three PCS items (text anonymised in the original): one with responsible M. Xyv, end of 2011; "Execution errors", responsible A. Ghj, 2011; "Occurrence of a problem", responsible R. Hgk, 2011. Label on the map: zone of moderate and low risks, not detailed.]
Manual process using MS Office tools: Excel, Word, PowerPoint
Group Risk Register for Operational Risks (Unit / Date)

Register columns:
- Identified Risks: Legal entity / site; ID; Date of Entry; Last update; Unit; Risk Description; Risk Category
- Existing Controls / Mitigation Techniques: Description by Unit; Effectiveness of Strategies
- Analysis & Evaluation of Residual Risk:
  - Financial Risk: Likelihood/Frequency; Impact/Severity; Amount for Financial impact in CHF; Level of Residual Risk
  - Reputational Risk: Likelihood/Frequency; Impact/Severity; Level of Residual Risk
  - Other Risks: Likelihood/Frequency; Impact/Severity; Level of Residual Risk
- Key Risk Indicators: Description by Unit
- Action plan to reduce risk: Description by Unit (short description of key elements)
- Evaluation of Target Risk:
  - Financial Risk: Likelihood/Frequency; Impact/Severity; Amount for Financial impact in CHF; Level of Residual Risk
  - Reputational Risk: Likelihood/Frequency; Impact/Severity; Level of Residual Risk
  - Other Risks: Likelihood/Frequency; Impact/Severity; Level of Residual Risk
- Overall responsible; Deadline; Overall progress; Date of closing

Sample entries. Ratings are given as likelihood / impact / level, in column order (financial, reputational, other); financial ratings also give the amount in CHF. Some entries show fewer than three ratings.

ID 8051, GE, entered 31.12.08, last update 30.06.10
- Unit: PF; risk description: xxx; category: Organisation
- Existing controls: Controls / daily reconciliation of positions...; effectiveness: H
- Residual risk: 2 / 1 / 100'000 / L, then 2 / 2 / M
- Key risk indicator: Number of incidents
- Action plan: -
- Target risk: 2 / 1 / 100'000 / L, then 2 / 2 / M

ID 8052, GE, entered 31.12.08, last update 30.06.10
- Unit: PF; risk description: xxx; category: Technical
- Existing controls: Incident reporting; four-eyes check for each operation; effectiveness: L
- Residual risk: financial 3 / 2 / 1'000'000 / M; reputational 3 / 3 / H; other 3 / 1 / L
- Key risk indicator: Error report
- Action plan: automation of controls; lowering of alert levels
- Target risk: financial 3 / 2 / 1'000'000 / M; reputational 3 / 2 / M; other 3 / 1 / L
- Overall responsible: B. Mnp; deadline: 31.03.11; overall progress: 25%

ID 8053, GE / LUX, entered 30.06.09, last update 30.06.10
- Unit: PF; risk description: xxx; category: Human
- Existing controls: xxx; effectiveness: M
- Residual risk: 2 / 4 / 10'000'000 / H, then 2 / 2 / M
- Key risk indicator: Number of incidents
- Action plan: data security project; MIS upgrade projects
- Target risk: financial 2 / 3 / 5'000'000 / M; reputational 2 / 2 / M; other 2 / 1 / L
- Overall responsible: A. Xyz; deadline: 31.12.10; overall progress: 85%

ID 8054, GE, entered 31.12.09, last update 30.06.10
- Unit: PF; risk description: xxx; category: External
- Existing controls: xxx; effectiveness: H
- Residual risk: financial 4 / 1 / 200'000 / M; reputational 4 / 3 / H; other 4 / 3 / H
- Key risk indicator: Number of outages
- Action plan: xxx
- Target risk: financial 3 / 1 / 200'000 / L; reputational 3 / 3 / H; other 3 / 1 / L
- Overall responsible: G. Fgh; deadline: 31.12.10; overall progress: 90%

Likelihood - Frequency
1 = Rare : 5 years
2 = Unlikely : 1 - 5 years
3 = Possible : < 1 year
4 = Likely : monthly
5 = Almost certain : weekly

Risk ranking
1 - 3 Low Risk
4 - 6 Moderate Risk
8 - 12 High Risk
15 - 25 Extremely High Risk

Financial impact (BL / Entity scale)
1 = Min. 0, Max. 500'000
2 = Min. 500'001, Max. 1'000'000
3 = Min. 1'000'001, Max. 5'000'000
4 = Min. 5'000'001, Max. 20'000'000
5 = Min. 20'000'001

Reputational damage
1 = Insignificant : No media attention. Minor complaint.
2 = Minor : No media attention. Multiple minor complaints.
3 = Moderate : Local media reporting. Moderate complaints.
4 = Major : National & international media reporting. Major complaints.
5 = Extreme : Long term negative image. Substantial complaints with losses.

Other impact or damage
1 = Insignificant : No regulatory consequence.
2 = Minor : No regulatory consequence. Minor reversible injury.
3 = Moderate : Limited regulatory consequence. Moderate reversible injury.
4 = Major : Significant regulatory consequence. Major injury.
5 = Extreme : Closure of major part of business. Irreversible injury.
- Risk Register by Group Unit
- Sent to Group-Risk by email
- Manual risks consolidation
- Discussion of risk map between G-R and Unit
- Group Risk Report released
3. SAP-GRC Project
9 Pictet & Cie | Implementation of SAP-GRC with the Pictet Group
Main objectives of the SAP-GRC Project
- Reduce the risk of operational risks going undetected by interlinking information
- Reduce the administrative workload to concentrate on tasks with high added value
- A single tool in the Group for the management of all types of operational risks
- Provide complete functional coverage in a structured and standardized framework
- Improve compliance with Finma Circ. 08/24 "Supervision and internal control banks" and Finma Circ. 08/21 "Operational risks at banks"
Preliminary phases
2011
- Study of market risk management tools
- Contacts with various banks that have deployed integrated tools for operational risk management
- Choice of the tool ORC (Interexa), used by
2012
- Workshops with Interexa: March - April
- Workshops with Unit Risk Managers: June
- Decision to stop ORC and start SAP: August
- Final estimated cost too high
- ORC doesn't provide an internal control module
- Presentation by SAP of GRC (including internal control module)
- Strong sponsorship by Pictet IT as SAP already used for Finances and HR
SAPPORO Project: Risk Management module
- Selection of SAP-GRC: August 2012
- Proof of Concept: November 2012
- Start of SAPPORO Project:
  - Preliminary phase with Riscomp: February-March 2013
  - Business Blueprint: April 2013
  - Implementation and UAT with Riscomp: May-July 2013
  - Training and UAT with Unit Risk Managers: May-June 2013
  - Go-Live: 29th July 2013
The 3 phases of the SAPPORO Project
- Phase 1: Risk Management (Study - Implementation)
- Phase 2: Internal Control Syst. (Study - Implementation)
- Phase 3: Incidents (Study - Implementation)
Dates shown on the timeline: 08.2013, 06.2014
4. Main challenges of SAP-GRC implementation
Main challenges
1. Decentralised operational risk management
Challenges were:
- Collecting Unit Risk Managers' needs, with very different levels of maturity in the operational risk management process
- Various approaches (bottom up, top down, mixed)
- Implementing a solution that suits all, within a reasonable budget
Integration of decentralised Unit Risk Managers throughout the project
Pictet Methodology
Pictet Group Policy for Operational Risks
Main challenges
1. Decentralised operational risk management
2. Matrix organisation
Matrix Organisation
Multiple business lines, crossed with multiple legal entities, in 25 sites in the world.
Reporting needs:
- By business line (for the Management)
- By legal entity (for Supervision Authority)
- By site (for local Management)
Example of business lines:
- Pictet Wealth Management
- Pictet Asset Management Distribution
- Pictet Asset Services
- Pictet Asset Management Investment
- Trading
- Etc
Example of legal entities:
- Pictet & Cie (Europe) SA
- Paris Branch
- Italian Branch
- Hong Kong Branch
- Etc
- Pictet Funds SA
- Bank Pictet (Asia) Ltd, Singapore
- Pictet Asset Management Ltd
- Pictet Investment Co. Ltd, London
- Etc
Solution = 3 custom-defined fields within the Organisational Unit:
- Team name
- Company name
- Site name
Matrix Organisation
[Figure labels: Company Name, Risk, Response, Site, Org. Unit]
Main challenges
1. Decentralised operational risk management
2. Matrix organisation
Because the full organisation requires downloading 1544 organisational units, other challenges were:
- Response time was too long for users with limited access (Unit Risk Managers)
- Temporary solution: partial organisation loaded into SAP-GRC only (567 org units)
- SAP has improved response time
- Automatic update of the organisation
5. Results of SAP-GRC implementation
Outcomes of the project
Positive:
- Pictet Methodology fits in SAP-GRC (risk valuation, risk categories)
- Ops Risk Mgmt Framework more robust
- Time saving: fewer administrative tasks, more added-value work
- Heatmap: immediate reporting tool, with extended drill-down / selection capabilities
- Unique Ops Risks Register
Negative:
- SAP-GRC did not seem mature enough: we encountered a lot of bugs, which tends to show that the tool had not been tested extensively. Examples:
- Impossible to remove a Response from a Risk
- Risk Aspect worked on Org. Name, not Org. ID
- Ergonomics not user friendly
- Graphical view incomplete
- Response can be saved without compulsory info (name)
But good reactivity of SAP to correct bugs
Most desired improvements
Response time
Automatic update of Organisation / Risk Thresholds
Underlying Risks: possibility to include or exclude them in the Heatmap
Validity extension of a Risk
Implementation of SAP-GRC with the Pictet Group
Questions ?
Thank you for your attention